CredentialsProvider.CREATE and the like are now scoped to ITEM, yet they can be (in fact are usually) checked at the global level, and Jenkins is not an Item—it is an ItemGroup. So perhaps the scopes should be both ITEM and ITEM_GROUP.

(Would not matter for Permission.isContainedBy, since these uses scope inheritance, but an AuthorizationStrategy may want to know which permissions are actually checked at various levels.)

In fact it seems like a new scope might be in order, since the actual check is on CredentialsStore. So maybe this should define a custom scope (contained in ITEM).

Also CredentialsStore almost but not quite implements AccessControlled, which seems like an oversight.